Vol. 10, No. 9, Page 13

approaches the consultant intends to bring into the project. Organize a debriefing session after the project's completion. The following aspects should be discussed with your management and staff:

- Were the consultants helpful?
- Did you get what you wanted, i.e. meeting quality and timescale requirements?
- Did you get more than you wanted? What additional benefits were obtained through the consultant's involvement?
- Were the recommendations practical?
- Did you achieve the original project objectives?
- Would you want to work with the consultant again?
- What lessons have you learnt from the project experience? What do you need to look out for when using consultants again?
Conclusion

A consultant gets a lot of job satisfaction when his work pleases the client. Like everyone else, he likes his work to be appreciated. The consultant is always learning on the job, particularly with difficult clients, when he has to double-check his work and be on his toes at all times. Equally, his work can be made easier and more pleasurable if the client understands his method of working and the constraints he has to work within. It is only in developing a mutual understanding and appreciation of each other's needs and restrictions that one can be assured of a healthy and rewarding business relationship between the consultant and his client.

Dr Ken Wong, BIS Applied Systems Ltd, London
CONFERENCE REPORT

COMPACS '88

The London Hilton in Park Lane was the venue for the Twelfth International Conference on Computer Audit Control and Security (COMPACS) run by the UK Institute of Internal Auditors on 22-25 March 1988. The conference attracted 960 day delegates. The conference theme was "The Impact of Emerging Technologies on Auditors" and the sessions were arranged on sub-themes to cover a broad review of current issues of interest to auditors and to control/security specialists.

In the first session, Bill W. Murray, now of Ernst & Whinney, but formerly for 25 years with IBM, examined the impact of the convergence of computing, recording and communications technologies on computer audit control and security. He contrasted data security in the pre-computer age, which was based on the security of the media (for example, holding paper-based records in lockable cabinets and mailing information in sealed envelopes), with that of computer systems. Contrary to popular belief, Murray argued, the computer had proved superior to paper so long as the environment was controlled as well as the media. A well-controlled computer system could restrict access to data and provide greater accountability by recording who had access to data and when. This combination of media and environmental controls would not, however, be adequate for the future. The new problem which had arisen was that the boundaries of the control environment may no longer be coincident with the boundaries of a single system or a single organization or institution. Planning and organizing effective access control systems in a wider environment is difficult enough when all of the application is on one readily identifiable system, usually all in one site and with a limited number of identifiable managers.
COMPUTER FRAUD & SECURITY BULLETIN

© 1988 Elsevier Science Publishers Ltd., England. /88/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

"As the number of applications, systems, sites, managers and users in the environment goes up, it becomes increasingly difficult for anyone to have the necessary knowledge and influence to specify controls and access rules", Murray said. Controls over the integrity and confidentiality of data would need to be independent of both the media and the environment. Murray saw the solution to control in the joint use of the Data Encryption Standard and Rivest-Shamir-Adleman algorithms, and concluded that the application of cryptography would be the major agenda item for the next two decades.

Professor Krish Bhaskar of the Computer Industry Research Unit of the University of East Anglia, UK, presented a paper entitled "A Secure Workstation for the 1990s". He suggested that the greater power of workstations, their networking and their use for more diverse roles had brought an increased risk in terms of the perpetration of computer fraud. The solution was to devise a secure workstation environment by adopting a threat/countermeasures matrix approach. Having identified the threats and the countermeasures, risk analysis could be used to consider the likelihood of threats and the cost/benefit measurement of alternative solutions. Bhaskar's research, however, had suggested that the commercial products available at present were limited in the security that they provided. Most software packages for microcomputer systems offered little or no inherent security measures. "We have also found current security considerations to be modest in terms of the implementations found amongst both financial and other organizations. There are exceptions to this, but generally standards are low and will remain low until user awareness of computer crimes is increased and demand for improved provisions rises accordingly."

Richard Sizer of Logica SDS Ltd also commented on the effects on security of the knowledge and awareness of computer crime.
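The threat/countermeasures matrix Bhaskar describes can be worked through numerically. The following is an added example, not code or figures from the conference paper: each threat gets an assumed annual rate and loss per event, each countermeasure an assumed annual cost and the fraction of each threat's loss it removes, and the selection keeps only measures whose expected saving exceeds their cost.

```python
"""Added example (not from the page): threat/countermeasures matrix with
cost/benefit selection. All rates, losses, costs and reductions are
constructed sample values, not figures from Bhaskar's research."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float       # expected occurrences per year (assumed)
    loss_per_event: float    # loss in pounds per occurrence (assumed)

    def ale(self) -> float:
        """Annualized loss expectancy with no countermeasure in place."""
        return self.annual_rate * self.loss_per_event


THREATS = [
    Threat("unauthorised workstation logon", 2.0, 5_000.0),
    Threat("fraudulent transaction entry", 0.5, 40_000.0),
    Threat("disclosure of files on removable media", 1.0, 8_000.0),
]

# The matrix: countermeasure -> (annual cost, {threat name: fraction of ALE removed}).
# A threat absent from a countermeasure's dict is unaffected by it.
COUNTERMEASURES = {
    "password policy and lockout": (1_500.0, {"unauthorised workstation logon": 0.8}),
    "dual authorisation of transactions": (6_000.0, {"fraudulent transaction entry": 0.9,
                                                     "unauthorised workstation logon": 0.2}),
    "media encryption": (3_000.0, {"disclosure of files on removable media": 0.95}),
    "guard on every terminal": (50_000.0, {"unauthorised workstation logon": 0.9}),
}


def total_ale(threats) -> float:
    return sum(t.ale() for t in threats)


def net_benefit(cost: float, reductions: dict, threats) -> float:
    """Expected annual loss avoided across all threats, minus the measure's cost."""
    saved = sum(t.ale() * reductions.get(t.name, 0.0) for t in threats)
    return saved - cost


def select_countermeasures(countermeasures, threats):
    """Return (name, net benefit) for every measure that pays for itself, best first."""
    scored = [(name, net_benefit(cost, red, threats))
              for name, (cost, red) in countermeasures.items()]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])
```

Measures whose cost exceeds the loss they prevent (the terminal guard in the sample data) drop out of the ranking; the remainder are ordered by net annual benefit.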
He argued that while UK legislation in the form of the Official Secrets Act and the Data Protection Act has helped to form a security culture in the areas covered by those acts, the UK financial domain does not have a strong security culture in so far as information technology is concerned. He compared this with the US, where there is a statutory obligation for fraud and embezzlement to be reported and, as a result, the need for computer security appears to be taken more seriously.

One particular target for attack is software. Since software is expensive to create and to maintain, common sense would dictate that it is a vulnerable element. Software can be threatened by modification, disclosure, interruption or destruction. "The most obvious form of attack is that of deliberate modification. The high profile victims of unauthorized program changes have been the banks and financial institutions, but it is clear that any company, organization or institution which uses computer systems to facilitate financial or asset administration could be the victim of such attacks", said Sizer. The possible resultant losses should not be underestimated. One would expect the detection of unauthorized changes to be the natural consequence of an established culture and well-defined security policy. The evidence would suggest, however, that the majority of detections have been 'accidental', security being either grossly insufficient or ineptly implemented. Security thinking, policies and responsibilities are not high enough on the agenda of commercial organizations.
Clive Blatchford of ICL also agreed that the security of information systems had been approached in a piecemeal, ad hoc fashion. Basic product security had been supplemented by customers with a range of control 'add-ons'. Management had emphasized security enforcement through a wide range of human administrative actions. Little dependence had been placed on the electronic system components to 'police' themselves and each other. This reliance upon human control had been found to be insufficient to protect against 'insiders' perpetrating a computer-related crime, especially where they have a high level of technical knowledge. Market research by ICL had shown that 75% of all such crimes were perpetrated by the customer's own staff. The crimes embraced the three main security categories of loss of privacy, integrity and basic continuity or availability of service.
Blatchford forecast that information systems in the 1990s would be characterized by information services being offered to end users with a recognized and inviolate level of security. Security architectures, standards and procedures which were in the public domain would, if followed, ensure maximum administrative and technical robustness. Systems solutions would have a graded level of administrative assurance and there would be increasingly independent certification of products and services.

The problems and potential losses posed by weaknesses in computer security are not the only costs borne by organizations implementing technological solutions. COMPACS '88 delegates clearly recognized this, and the day which attracted the highest attendance was that which considered the control and audit issues of systems development. Rainer Burchett examined the risks of uncontrolled systems development and the strategic problems which occur when the applications to be developed are identified and chosen in a haphazard manner rather than in relation to the true needs of the business. A planned approach is required and the choice of applications should be decided by the use of cost-benefit justification. For those projects accepted, a structured development process must be introduced, subject to management and quality control.

One means of quality control was considered by Carol Westwood, a Systems and Process Quality Assurance Manager with the Unipart Group of Companies. Quality Assurance should produce high-level independent reports to Senior Management on systems functions performance, monitor the project management process, and carry out reviews during systems development and on a post-implementation basis to ensure that the system is delivering the benefits required and expected. The third aspect of systems development is that of designing controls during new systems development.
Jerry Fitzgerald outlined his 'Control Matrix' approach and demonstrated the use of software to automate the process (for a description of Fitzgerald's Control Matrix approach, see the January 1988 edition of CFSB).

David Bentley, President, Institute of Internal Auditors UK

Stephen Dance adds: During his lecture, Bill Murray of Ernst & Whinney startled the audience by revealing that DEC VAX computers were the most often 'hacked' of all computer systems. This was not, he emphasized, due to any particular weakness in VAX software. Rather, the underlying reasons are of a more fundamental nature and can easily be dealt with by any installation.

DEC VAX computers are extensively used in educational establishments where the users are actively encouraged to learn as much as possible about the system. Consequently, detailed information such as technical documentation is readily available. From this documentation, students can obtain detailed explanations and usage instructions for systems software products, database and communications software. Of particular interest may be the systems installation manuals in which the system managers' and system engineers' passwords are often detailed. These passwords are already set when a system is delivered to enable the supplied software to be installed. Often these passwords are not changed when implementation is complete. It is this lax password control and ready availability of information, said Mr Murray, which makes the VAX the most 'hacked' machine. The passwords in question confer high systems privileges on the holder, and detailed information regarding VAX software has enabled hackers to establish connections with installations from one end of the country to another - and even across continents.

It was then revealed why some installations and their networks are continually being hacked. Again, exotic technical considerations are not the reason. Hackers tend to co-operate with one another and, via their underground bulletin boards, publish 'sweet lists'.
A 'sweet list' is a list of passwords which have worked or are likely to work on a particular computer system. Apparently, the initial values of the system engineer's and system manager's passwords figure highly in these lists. And, because, when they are supplied, these passwords are very simple, they are also easy to guess. It is not difficult to see how quickly this information can be disseminated and how many different individuals could have the opportunity to gain unauthorized access to a computer installation.

The overall message is that the risks of being 'hacked' can be greatly reduced by sound password control and administration. Avoiding obvious passwords and regular password changes make things much more difficult for the would-be hacker.

NEW ELSEVIER PUBLICATIONS

Two special reports about to be published by Elsevier Advanced Technology Publications will be of enormous use to the PC user worried about security. Security for Small Computer Systems uses non-technical language to enable the non-specialist office user to understand the basic concepts of PC security. The result of an EEC Small System Security research project, this book was written by staff from four European computer companies. The cover price is £35. Discounts for multiple orders are also available.

The PC Security Guide is an invaluable reference guide for the UK, US or European user searching for hardware or software to protect his PC. Aimed primarily at the IBM and compatible market, the book also lists software compatibility with other PCs and mainframes. It is written by two regular contributors to CFSB, Dr Keith Jackson and Dr Jan Hruska. This £95 directory will be revised on an annual basis. For more information on both books, contact: Edward Wilding, Marketing Executive, Elsevier Advanced Technology Publications, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK; tel: 0865-512242; fax: 0865-516120.
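The password-control point in Stephen Dance's note (installation passwords left at their delivered value, and passwords never rotated) is the kind of condition an installation can audit for itself. The following is an added example, not code from the report: it checks stored password hashes against the hashes of a constructed placeholder list of vendor defaults and flags accounts whose password is older than an assumed 90-day policy, rating privileged accounts higher.

```python
"""Added example (not from the page): audit account records for vendor-default
and stale passwords, the two weaknesses Murray blamed for VAX break-ins."""
from datetime import date, timedelta
import hashlib

# Constructed placeholders standing in for passwords an installation manual
# might print; these are NOT any real system's default values.
VENDOR_DEFAULTS = {"INSTALL-DEFAULT-1", "INSTALL-DEFAULT-2", "SERVICE-DEFAULT"}
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy: rotate at least every 90 days


def pw_hash(password: str) -> str:
    """Stand-in for the system's own password hash (unsalted here for brevity;
    with per-user salts, hash each default under that user's salt instead)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


DEFAULT_HASHES = {pw_hash(p) for p in VENDOR_DEFAULTS}


def audit_accounts(accounts, today, privileged):
    """accounts: (username, stored_hash, last_changed) tuples.
    Returns (username, finding, severity) for each account failing a check.
    Privileged accounts (system manager/engineer) rate higher because the
    delivered passwords confer high system privileges."""
    findings = []
    for user, stored_hash, last_changed in accounts:
        if stored_hash in DEFAULT_HASHES:
            severity = "HIGH" if user in privileged else "MEDIUM"
            findings.append((user, "vendor default password still set", severity))
        elif today - last_changed > MAX_PASSWORD_AGE:
            age = (today - last_changed).days
            severity = "HIGH" if user in privileged else "LOW"
            findings.append((user, f"password unchanged for {age} days", severity))
    return findings


# Constructed sample: two installation accounts never re-set after delivery,
# one ordinary user overdue for a change, one compliant user.
PRIVILEGED = {"SYSMGR", "FIELDENG"}
SAMPLE_ACCOUNTS = [
    ("SYSMGR", pw_hash("INSTALL-DEFAULT-1"), date(1988, 1, 4)),
    ("FIELDENG", pw_hash("SERVICE-DEFAULT"), date(1988, 1, 4)),
    ("jsmith", pw_hash("Wk3#riverbank"), date(1987, 11, 2)),
    ("tjones", pw_hash("x!9Lprq-dune"), date(1988, 3, 15)),
]
AUDIT_DATE = date(1988, 3, 25)


def run_sample():
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE, PRIVILEGED)


if __name__ == "__main__":
    for user, finding, severity in run_sample():
        print(f"{severity:6} {user:10} {finding}")
```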
Computer Fraud & Security Subscription Price (inc. shipping & handling)
1 year (12 issues): £135.00 / $265.00 / Dfl. 630.00
3 years (36 issues): £325.00 / $635.00 / Dfl. 1510.00

Subscription enquiries, orders and payments: Elsevier Services (UK), Crown House, Linton Road, Barking, Essex IG11 8JU, England. Tel: 01-594-7272
Elsevier Advanced Technology Publications, 52 Vanderbilt Avenue, New York, NY 10017, USA. Tel: (212) 370-5520
Editorial enquiries: Elsevier Advanced Technology Publications, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, England. Tel: (0865) 512242

No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

Special regulations for readers in the U.S.A. This publication has been registered with the Copyright Clearance Center Inc. Consent is given for copying of articles for personal or internal use, or for the personal use of specific clients. The consent is given on the condition that the copier pays through the Center the per-copy fee stated in the code on each page for copying beyond that permitted by Sections 107 or 108 of the U.S. Copyright Law. The appropriate fee should be forwarded with a copy of each page reproduced to the Copyright Clearance Center Inc., 21 Congress Street, Salem, MA 01970, U.S.A. This consent does not extend to other kinds of copying, such as for general distribution, resale, advertising and promotion purposes, or for creating new collective works. Special written permission must be obtained from the publisher for such copying.

ELSEVIER ADVANCED TECHNOLOGY PUBLICATIONS
Printed in Great Britain by Express Litho Service (Oxford)